Troubleshoot Process Monitor


The new version of Process Monitor combines the old Process Monitor tool with the File Monitor (FileMon) and Registry Monitor (RegMon) tools.  Process Monitor is one of the most versatile tools to use in troubleshooting.  Issues Process Monitor is used for include:


  • Troubleshoot Application Failures (installs and uninstalls, launch failures, etc.)
  • Troubleshoot File System issues (access, permissions, etc.)
  • Troubleshoot Registry issues (access, permissions, etc.)
  • Enable Boot logging to monitor the system from boot
  • Examine the stack of an Application
  • Troubleshoot misleading error messages
  • Determine the registry settings for an application

Setting up Process Monitor is very easy - there's actually no real setup required!

  1. Download Process Monitor 
  2. Extract the .zip file, and run Procmon.exe
  3. Click Agree to the EULA screen
  4. Process Monitor will start logging automatically

Now that you have Process Monitor up and running, let's quickly point out a couple of features on the interface:

In the main toolbar, you'll see a set of buttons.  By toggling these buttons on / off, you can choose whether or not to view the Registry Activity, the File System Activity and the Process / Thread activity.

If you double click on an event in the log you can bring up the property sheet for that event which includes basic information about the event on the first tab.  The Process Tab includes information about the path, the Process ID, the Parent Process ID, the User and relevant DLL files.  Finally, the Stack tab provides a very basic view of the stack for that event.  The stack output indicates Kernel-mode calls with a "K" and User-mode calls with a "U".  If Process Monitor is able to locate symbols for images referenced in the trace it will attempt to resolve addresses to the functions in which they reside.

You can also configure Process Monitor to log activity very early in the boot process - during the initialization of boot-start device drivers.  To configure Boot Logging, select "Enable Boot Logging" from the Options Menu.

Let's take a look at a couple of sample scenarios that I set up:

Scenario 1: Uninstalling an Application 

Here is an example involving PowerShell: the trial version of PowerGadgets (a tool for creating PowerShell gadgets) has expired, so we have to uninstall the software.  When we tried to uninstall it, we encountered an error message complaining about one of the application's files.


It looks like there's a problem with this file.  When we check the Power Gadgets folder in the Program Files directory, we see the correct .ifx file there, so what's the problem?  Time to fire up Process Monitor and track down the real failure...

Now, start a Process Monitor capture and try to uninstall the program again.  This time, you can see that there's a "PATH NOT FOUND" error logged in Process Monitor.


Now we know where the problem is!  The program is looking for C:\Program Files\PowerGadgets, but the actual path is C:\Program Files\Power Gadgets; there's a space in the folder name.  To be fair, the original error message also shows that the uninstaller is looking for a folder without a space in the name, but that was overlooked the first time!


After renaming the folder to “PowerGadgets”, the uninstall works as expected.
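To make this kind of triage repeatable on a larger trace, here is an added Python example (not code from the original article) that parses a Process Monitor CSV export (File > Save, CSV format), lists the PATH NOT FOUND / NAME NOT FOUND results per process, and flags any failed path that matches an existing path once spaces and case are ignored, which is exactly the PowerGadgets / Power Gadgets mismatch above.  The CSV rows and the EXISTING_PATHS list are constructed for the example, and the column names assume Procmon's default CSV export layout.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format).
# Column names follow Procmon's default export layout; the rows are invented
# to mirror the PowerGadgets scenario, not taken from a real capture.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","msiexec.exe","4120","RegQueryValue","HKLM\SOFTWARE\PowerGadgets\InstallDir","SUCCESS","Type: REG_SZ"
"10:02:11.2","msiexec.exe","4120","CreateFile","C:\Program Files\PowerGadgets\PowerGadgets.ifx","PATH NOT FOUND","Desired Access: Read"
"10:02:11.3","explorer.exe","1200","QueryOpen","C:\Windows\System32\shell32.dll","SUCCESS",""
"10:02:11.4","msiexec.exe","4120","CreateFile","C:\Program Files\PowerGadgets\uninst.log","PATH NOT FOUND","Desired Access: Write"
""".strip()

# Constructed: what actually exists on disk (what you see in Explorer).
EXISTING_PATHS = [r"C:\Program Files\Power Gadgets\PowerGadgets.ifx"]

# Procmon results that mean "the object the program asked for is not there".
NOT_FOUND = {"PATH NOT FOUND", "NAME NOT FOUND"}


def not_found_events(csv_text, process_name=None):
    """Return (process, operation, path, result) tuples for failed lookups, optionally for one process."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] not in NOT_FOUND:
            continue
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        hits.append((row["Process Name"], row["Operation"], row["Path"], row["Result"]))
    return hits


def per_process_counts(csv_text):
    """Count failed lookups per process, to see which process is struggling."""
    return Counter(event[0] for event in not_found_events(csv_text))


def near_misses(failed_paths, existing_paths):
    """Pair each failed path with an existing path that differs only by spaces or case."""
    norm = lambda p: p.replace(" ", "").lower()
    existing = {norm(p): p for p in existing_paths}
    return [(p, existing[norm(p)]) for p in failed_paths if norm(p) in existing]


if __name__ == "__main__":
    for proc, op, path, result in not_found_events(SAMPLE_CSV, "msiexec.exe"):
        print(f"{proc:12} {op:12} {result:15} {path}")
    for asked, actual in near_misses([e[2] for e in not_found_events(SAMPLE_CSV)], EXISTING_PATHS):
        print(f"asked for {asked!r} but found {actual!r}")
```

Filtering to the one process that fails (here msiexec.exe) mirrors the Process Monitor filter you would set in the GUI, and the near-miss check catches the "folder name differs only by a space" case before you go hunting by eye.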


